All:
I'll be posting everything needed to get WHD working under IIS 7.5, with SSO and proper AD Domain lookup. One thing I could not get past without modifying WHD code is how WHD deals with the auth-user HTTP header used as the external auth source. I'd like to nominate a patch to enable the ability to perform realm stripping on external auth.
Basic Issue: When using WHD with IIS for Single Sign-On, LDAP/AD lookups fail with "invalid separator string" in JNDI.
Reason: IIS sets the auth-user (and logon-user) HTTP headers to include the domain name in NT4 style (DOMAINNAME\Username). Certain other SSO implementations in Apache use Kerberos-style realm names (username@REALMNAME). WHD uses this value directly as 1) the whduser and 2) the principalname sent to LDAP or AD. Those lookups fail because the principalname (usually the samAccountName or cn) cannot contain those special characters.
Partial Workaround: Define technicians in the WHD UI including the realm qualifier (e.g., instead of bob.bobbins, use MYDOMAIN\bob.bobbins). This workaround does not fix LDAP lookups, so clients won't be detected and mapped to LDAP correctly.
New Idea: Add a preference that allows the sysadmin to choose realm stripping behavior, and code to ExternalAuthenticationProvider (in Helpdesk.jar) that:
1. Checks whether the sysadmin has selected realm stripping (e.g., Preference.EXTERNAL_AUTH_PARAM_STRIP_REALM, set in the WHD General / Authentication tab)
2. Validates that the username obtained via external auth (Web Form, HTTP Header, SAML or CAS) is set
3. Returns a username value without the domain name and backslash, or alternatively without the realm name and '@' symbol.
Code:
ExternalAuthenticationProvider.java (roughly line 109)
    if (username != null) {
        // Only strip the realm when the sysadmin has enabled the new preference.
        if (Preference.EXTERNAL_AUTH_PARAM_STRIP_REALM == 1) {
            username = stripRealmFromExtAuthUser(username);
        }
        ExternalAuthenticationProvider._logger.info((Object)("Obtained username '" + username + "' from external authentication."));
    }
    return username;
}
New Method:
    // Strips a leading "DOMAIN\" (NT4 style) and/or a trailing "@REALM" (Kerberos style)
    // from the externally authenticated username, returning the bare account name.
    private static String stripRealmFromExtAuthUser(String rawUsername) {
        int idxDomainDelim = rawUsername.indexOf('\\'); // -1 if no NT4 domain prefix
        int idxRealmDelim = rawUsername.indexOf('@');   // -1 if no Kerberos realm suffix
        if (idxRealmDelim < 0) {
            // No realm suffix: keep everything up to the end of the string.
            idxRealmDelim = rawUsername.length();
        }
        // idxDomainDelim + 1 is 0 when there was no backslash, so the start is unchanged.
        return rawUsername.substring(idxDomainDelim + 1, idxRealmDelim);
    }
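Two points the method above leaves open, illustrated by an added example that is not WHD's code: unconditional stripping makes OTHERDOMAIN\bob.bobbins and MYDOMAIN\bob.bobbins resolve to the same technician, and the stripped value still goes to JNDI without any check on its characters. The set of expected realms is assumed to come from a sysadmin preference (the class and field names here are hypothetical), and the character allowlist is a conservative assumption to adjust for your directory.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/* Added example, not WHD code. Strips an NT4 (DOMAIN\user) or Kerberos
 * (user@REALM) qualifier from an externally supplied username, but only when
 * the qualifier is one the sysadmin expects, and only returns a value that is
 * safe to hand to an LDAP/AD lookup as the principal name. */
public final class RealmStripper {
    // Assumed allowlist for a bare sAMAccountName/cn; widen if your directory needs it.
    private static final Pattern SAFE_ACCOUNT = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    // Upper-cased realms/domains the sysadmin has declared (hypothetically a WHD preference).
    private final Set<String> allowedRealms;

    public RealmStripper(Set<String> allowedRealms) {
        this.allowedRealms = allowedRealms;
    }

    /** Returns the bare account name, or null when the input must be rejected. */
    public String strip(String rawUsername) {
        if (rawUsername == null) return null;
        String name = rawUsername.trim();
        String realm = null;

        int slash = name.indexOf('\\');
        if (slash >= 0) {                       // NT4 style: DOMAIN\user
            realm = name.substring(0, slash);
            name = name.substring(slash + 1);
        }
        int at = name.indexOf('@');
        if (at >= 0) {                          // Kerberos style: user@REALM
            String suffix = name.substring(at + 1);
            if (realm != null && !realm.equalsIgnoreCase(suffix)) return null; // conflicting qualifiers
            realm = suffix;
            name = name.substring(0, at);
        }
        if (realm != null && !allowedRealms.contains(realm.toUpperCase(Locale.ROOT))) {
            return null; // foreign domain: do not collapse it onto a local account of the same name
        }
        return SAFE_ACCOUNT.matcher(name).matches() ? name : null;
    }

    public static void main(String[] args) {
        RealmStripper s = new RealmStripper(Set.of("MYDOMAIN", "MYDOMAIN.LOCAL")); // constructed sample
        System.out.println(s.strip("MYDOMAIN\\bob.bobbins"));       // NT4 prefix, expected domain
        System.out.println(s.strip("bob.bobbins@MYDOMAIN.LOCAL"));  // Kerberos suffix, expected realm
        System.out.println(s.strip("OTHERDOMAIN\\bob.bobbins"));    // unexpected domain is rejected
        System.out.println(s.strip("bob*@MYDOMAIN.LOCAL"));         // filter metacharacter is rejected
    }
}
```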